While states and in particular the military has since immemorial time classify their data for apparent issues of defending their territories, it is not the same as other public or private organizations. Some models are attractive from an intellectual point of view, such as the one described in FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems, http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf), the standard for classifying U.S. federal information, but complicated to implement and not necessarily adapted to the cloud. An excellent and simple practice is to ask the question of the classification regarding risks for the company: Low, Moderate, High, and therefore of potential damage in case of disclosure of this information.

As in the previous examples, information disseminated legally in public is at low, or even null, risk. A document concerning the process of manufacturing a product of the company may have a moderate risk, while the documents describing in detail the future revolutionary product can have a high risk for the future of the company.

Some vocabulary

It is, therefore, necessary to define the vocabulary defining the class in which the document is located according to the risk it potentially poses to the organization.

Risk

Terminologies 1

Terminology 2

Terminology 3

Low

Public

Unlimited

Unprotected

Moderate

Restricted

Limited Internally

Internal

High

Confidential

Secret

Restricted

Table 51 – Examples of classification terminology

There are classification systems with four or five levels. However, the complexity of a classification system is inversely proportional to its use. It is infinitely better to have a simple and useful system than a powerful and unused one.

Classify risks and effects

The advantage of the classification of risk in three levels: low, moderate and high, is that it is understood by all the employees of the organization. Here is the definition of FIPS 199:

Low: The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Moderate: The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

High: The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

The FIPS 199 then defines the limited, serious and catastrophic effects:

Limited: A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals (this last point makes sense in a military context, rarely in a business one).

Serious: A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (ii) result in significant damage to organizational assets; (iii) result in significant financial loss; or (iv) result in significant harm to individuals that does not involve loss of life or serious life-threatening injuries

Catastrophic: A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (i) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (ii) result in major damage to organizational assets; (iii) result in major financial loss; or (iv) result in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries.

We can also define a zero risk for freely available information, such as those published on a website accessible to everyone or spam messages received, which have no value. This risk is associated with the documents, data, and applications of the companies that are not then classified. This greatly facilitates the classification process. It can indeed be assumed that any information that has no impact on the operations or assets of the organization does not need to be classified.

Although the definitions may evolve from one organization to another, the limits are well defined and can be explained to the employees.